I am a bit confused about how to enforce HTTPS traffic and also redirect to HTTPS. I'm using k8s with kube-lego to issue certificates, and it is hosted on GCE.
Is there some way to configure the GCE LBs to redirect traffic, or some other solution? It is confusing, because there doesn't seem to be an easy solution for this.
Any help is appreciated. Thanks.
You can create an LB for HTTPS in the section Network services -> Load balancing -> Create load balancer.
Choose the option HTTP(S) Load Balancing and configure it.
For example, you can create a load balancer for HTTPS traffic to your frontend.
For more details on how it works, you can read the Google Cloud documentation.
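An added example (not part of the answer above) of the redirect the question asks for on GKE: a FrontendConfig attached to the GCE Ingress makes the HTTP(S) load balancer itself answer plaintext requests with a 301 to HTTPS, while the certificate still lands in the Secret kube-lego manages. The names, host and Secret are assumed placeholders, and FrontendConfig needs a GKE version that ships it.

```yaml
# Added example, not from the thread: HTTP -> HTTPS redirect done by the
# GCE HTTP(S) load balancer via a GKE FrontendConfig. Names are placeholders.
apiVersion: networking.gke.io/v1
kind: FrontendConfig
metadata:
  name: https-redirect
spec:
  redirectToHttps:
    enabled: true
    responseCodeName: MOVED_PERMANENTLY_DEFAULT   # 301 on the port-80 frontend
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: frontend
  annotations:
    kubernetes.io/ingress.class: "gce"
    # keep port 80 open (the default), otherwise there is nothing to redirect
    kubernetes.io/ingress.allow-http: "true"
    networking.gke.io/v1beta1.FrontendConfig: "https-redirect"
    kubernetes.io/tls-acme: "true"   # lets kube-lego populate frontend-tls
spec:
  tls:
  - hosts: ["www.example.com"]
    secretName: frontend-tls        # certificate/key issued by kube-lego
  rules:
  - host: www.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: frontend
            port:
              number: 80           # TLS terminates at the LB; backend stays HTTP
```

Check it with `curl -I http://www.example.com/`: the response should be a 301 with a `Location: https://...` header coming from the load balancer, not from the pods.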
We have a custom domain feature, which allows our clients to use our services with their custom DNS records.
For example, our client ACME has a CNAME to ssl.company.com, like so: login.acme.com -> ssl.company.com. Right now we are using a k8s cluster to provide such traffic. For each custom domain, we create an ingress, an external service, and a certificate using the LetsEncrypt cert-manager.
We started using the Cloudflare WAF, and they provide a CustomHostname feature which allows us to do the same as our CD cluster but without changing the host header. So for the example above we get:
host: login.acme.com -> login.acme.com
SNI: login.acme.com -> ssl.company.com
The issue is of course how to map a generic k8s ingress to allow such traffic.
When we did the POC we used this method and it worked, but now it has stopped. We have also tried a default backend and an unhosted ingress path.
We are using the nginx-ingress controller but are migrating to another API gateway like Kong.
Any help would be greatly appreciated.
I am using Istio for the service mesh in Azure Kubernetes. I have configured a private DNS zone to set up the FQDN. Currently the application is accessible over HTTP (e.g. http://myapp.contoso.com) and I would like it to be secured with HTTPS (e.g. https://myapp.contoso.com).
I know I have to change the service port to 443 to support HTTPS; however, how/where do I install the SSL certificate for the application (e.g. https://myapp.contoso.com)? Is there anything else to be done as well?
That will depend on where you want the SSL termination to happen. If you want that to happen inside the Azure Kubernetes network, then you can do SSL termination at the ingress layer.
Otherwise you can also do the termination at the Application Gateway layer of Azure (if you want to use this service from Azure: the redirection from HTTP to HTTPS, basic firewall features and adding the PFX certificates at the listeners can all be done there), although ingress can also take care of these things.
You can install the Let's Encrypt certificates by using this Helm chart, and for further steps you can follow this Stack Overflow link; it should help you in creating the configuration for Istio. People have used this solution for Istio before as well.
I found the answer here: Securing Your Istio Ingress Gateway with HTTPS.
There is Istio documentation about that.
My goal is to run multiple sites in a cluster (GKE). Here is what I'm trying to achieve:
Each site should be on HTTPS (using cert-manager and letsencrypt) with HTTP/2
Should be possible to enable Google CDN in the load balancer
Method 1:
I tried both https://www.getambassador.io/ and https://github.com/kubernetes/ingress-nginx. But both of them created a TCP/UDP (layer 4) load balancer, which doesn't allow CDN to be enabled.
Method 2:
Later I tried the default Ingress (https://cloud.google.com/kubernetes-engine/docs/tutorials/http-balancer) provided by GKE (layer 7), which creates an HTTP(S) load balancer instead of TCP/UDP. CDN worked in this case. But I couldn't configure cert-manager. Couldn't find any docs for that. Not sure whether this load balancer terminates SSL by default and whether that can be changed. I think there is also a limit of 15 domains in the load balancer for SSL.
Method 1 doesn't support CDN and Method 2 doesn't support cert-manager! Couldn't find a way to get both HTTPS and CDN.
Is there any way to get this work?
I'm working on a side project to learn Istio in my spare time, part of which is getting my hands dirty with Istio routing.
I'm trying to set up a Virtual Service such that any traffic on "/" gets routed to google.com. I can get Virtual Services to work with any in-cluster pods/services, but I can't seem to configure Istio to route to anything outside the cluster.
Any guidance would be much appreciated, cheers.
You have to create a Service Entry for google.com and then create a Virtual Service, referencing google.com in the same way as in-mesh services. Note the issue of the protocols - do you want to access google.com by HTTP or HTTPS? You may want to let Istio perform TLS origination for you.
Configure a service entry for google.com. Refer to this documentation overall, and specifically this.
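The three resources the answers describe, written out as an added example (not the answerers' own config): a ServiceEntry that registers www.google.com as a mesh-external host, a DestinationRule that makes the proxy originate TLS, and a VirtualService bound to an assumed existing Gateway named `ingress-gw` that sends "/" there. The `rewrite.authority` is needed because the upstream expects its own Host header, not the cluster's.

```yaml
# Added example, not from the thread. Assumes a Gateway "ingress-gw" exists in
# this namespace. Plain HTTP arrives at the gateway; TLS is originated by Istio.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: google
spec:
  hosts: ["www.google.com"]
  location: MESH_EXTERNAL          # outside the mesh, still known to the registry
  resolution: DNS
  ports:
  - {number: 443, name: https, protocol: HTTPS}
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: google-tls-origination
spec:
  host: www.google.com
  trafficPolicy:
    portLevelSettings:
    - port: {number: 443}
      tls:
        mode: SIMPLE               # proxy opens TLS to the upstream, verifies CA
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: root-to-google
spec:
  hosts: ["*"]
  gateways: ["ingress-gw"]
  http:
  - match:
    - uri: {prefix: /}
    rewrite:
      authority: www.google.com    # upstream sees its own Host, not ours
    route:
    - destination:
        host: www.google.com
        port: {number: 443}
```

If the mesh runs with outbound traffic policy `REGISTRY_ONLY`, the ServiceEntry is what turns this destination from "blocked" into "allowed", which is also why egress to unknown hosts is worth keeping closed: every permitted external destination is then visible in the cluster's configuration and in the proxy's access logs.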
I want to remove Host header at ingress controller before sending the request to backend service. Will appreciate your insight.
My backend service is NOT expecting any Host header.
Thank you!
Google Cloud Platform is working on richer routing and transforms with the HTTP(S) Load Balancer used by Kubernetes Engine Ingress. No ETA is available.
In the meantime, you can use a proxy service in front of the application. See this answer on how to remove a header with nginx.
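An added example (not the answer's linked config) of doing that with the nginx-based ingress-nginx controller as the proxy in front of the application: nginx drops a proxied header whose `proxy_set_header` value is the empty string, so a configuration snippet on the Ingress is enough. The host, Service and class name are assumed placeholders.

```yaml
# Added example, not from the thread: ingress-nginx strips the Host header
# before proxying to the backend. Names are placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: backend-no-host
  annotations:
    # Empty value => nginx omits the header entirely on the upstream request.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header Host "";
spec:
  ingressClassName: nginx
  rules:
  - host: api.example.com           # still used to pick this rule on the way in
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: backend
            port:
              number: 8080
```

The snippet annotation only takes effect when the controller runs with `allow-snippet-annotations` enabled; recent controller releases ship it disabled because it lets anyone who can create an Ingress inject arbitrary nginx directives into the shared proxy, so enable it deliberately and restrict who may write Ingress objects in that cluster.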